RELATED APPEALS AND INTERFERENCES

Applicant's representative has not identified, and does not know of, any other appeals 
or interferences which will directly affect or be directly affected by or have a bearing on the 
Board's decision in the pending appeal.

STATUS OF CLAIMS 

Claims 1-10 are pending in the application. Claims were finally rejected in the Office 
Action dated February 28, 2005. Applicants appeal the final rejection of claims 1-10, which 
are copied in the attached CLAIMS APPENDIX.

STATUS OF AMENDMENTS 

No Amendment After Final is enclosed with this brief. The last Response was filed 
September 7, 2004. 

SUMMARY OF CLAIMED SUBJECT MATTER 

The current application is directed towards a method for securing control- 
device-logical-unit ("CDLUN") operations within a disk-array controller (206 in Figure 2), or 
in other mass-storage-device controllers, invoked by remote host computers. As explained in 
the current application in the two paragraphs beginning on line 27 of page 4, a CDLUN is 
essentially a type of virtual LUN provided by a mass-storage controller to allow remote, host 
computers to invoke controller functionality involving multiple LUNs. As explained in the 
current application, beginning on line 16 of page 3, a LUN, or logical unit, represents some 
portion of the storage capabilities of a mass-storage-device, and a disk-array controller, or 
other mass-storage-device controller, provides LUNs (208-215 in Figure 2) as interfaces to 
the various portions, or partitions, of mass-storage space (203-205 in Figure 2) within a mass- 
storage device (202 in Figure 2). Certain operations, such as LUN mirroring, involve 
multiple LUNs. The CDLUN was devised as a target for addressing requests by remote host 
computers to a mass-storage-device controller for multi-LUN, or multi-partition, operations, 
such as a request to mirror one LUN to a different LUN, and for other mass-storage-device 
controller operations. 

Although CDLUNs serve admirably in the capacity intended, an additional 
problem was subsequently discovered. In general, access to individual LUNs, and to 
operations carried out with respect to individual LUNs, is controlled by various security
mechanisms. For example, a remote host computer storing sensitive data on a particular 
LUN of a disk array generally arranges for the LUN storing sensitive data to be at least write- 
protected, and often both read-protected and write-protected, so that only the remote host 
computer, and no other remote host computer, can access the sensitive data. These security 
mechanisms are easily extended to CDLUNs. Thus, for example, only authorized remote 
host computers can request mirroring operations through a particular CDLUN. However, 
these security mechanisms have proven to be inadequate to prevent unauthorized access to 
individual LUNs as a result of multi-LUN operations requested through CDLUNs. For 
example, although remote host computer A may have neither read nor write access to LUN 
X, remote host computer A may still alter the contents of LUN X by, for example, requesting 
that LUN Y be mirrored to LUN X by sending a multi-LUN request to a CDLUN to which 
remote host computer A is authorized to send multi-LUN requests. Embodiments of the 
present invention address this potential security and access problem, and other related 
problems. 

Independent claim 1, and dependent claims 2-5 that depend from claim 1, 
claim a method for authorizing access by remote entities to logical units provided by a mass 
storage device. The method includes steps of: (1) providing an access table that includes 
entries that each represents authorization of a particular remote entity to access a particular 
logical unit; (2) providing a supplemental access table that includes entries that each 
represents authorization of a particular control device logical unit to access a particular 
logical unit; and (3) when a remote entity requests execution of an operation directed to a 
specified control device logical unit and involving one or more additional specified logical 
units, authorizing the request for execution of the operation only when an entry currently 
exists in the access table that represents authorization of the remote entity to access the 
specified control device logical unit and, for each of the one or more additional specified 
logical units, an entry exists in the supplemental access table that represents authorization of 
the specified control device logical unit to access the additional specified logical unit. 

Independent claim 6, and dependent claims 7-10 that depend from claim 6, 
claim an authorization system for authorizing access by remote entities to logical units 
provided by a mass storage device. The claimed authorization system includes: (1) a request 
detecting component that detects requests for execution of an operation generated by a 
remote entity; (2) an access table that includes entries that each represents authorization of a 
particular remote entity to access a particular logical unit; (3) a supplemental access table that
includes entries that each represents authorization of a particular control device logical unit to 
access a particular logical unit; and (4) control logic that authorizes a request made by a 
remote entity, detected by the request detecting component, directed to a specified control 
device logical unit and involving one or more additional specified logical units only when an 
entry exists in the access table that represents authorization of the remote entity to access the 
specified control device logical unit and, for each of the one or more additional specified 
logical units, an entry exists in the supplemental access table that represents authorization of 
the specified control device logical unit to access the additional specified logical unit. 

GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 

1. Whether the 35 U.S.C. § 112, second paragraph rejections of claims 1, 2, 4-5, 7, and 
9-10, the 35 U.S.C. § 102(e) rejection of claims 1-10 as being anticipated by Ito et al., U.S. 
Patent No. 6,684,209 ("Ito"), or the 35 U.S.C. § 103(a) rejections of claims 1-2, 4, 6-7, and 9 as 
being obvious over Tulloch, "Administering Internet Information Server 4," New York, 
McGraw-Hill Professional, 1998, ISBN: 0072128232 ("Tulloch") in view of "Microsoft 
Windows NT Server, Resource Guide," Microsoft Press, 1996, ISBN: 1-57231-344-7 
("Windows NT"), represent reasonable and substantial new grounds for rejection in the 
Office Action of November 11, 2005 ("Office Action") that would supplement or eclipse the 
issues already identified in the Appeal Brief originally filed by Applicants on July 28, 2005.

ARGUMENT 

Claims 1-10 are currently pending in the application. In an Office Action 
dated November 11, 2005 ("Office Action"), the Examiner rejected claims 1, 2, 4-5, 7, and 9- 
10 under 35 U.S.C. § 112, second paragraph, rejected claims 1-10 under 35 U.S.C. § 102(e) 
as being anticipated by Ito et al., U.S. Patent No. 6,684,209 ("Ito"), and rejected claims 1-2, 
4, 6-7, and 9 under 35 U.S.C. § 103(a) as being obvious over Tulloch, "Administering 
Internet Information Server 4," New York, McGraw-Hill Professional, 1998, ISBN: 
0072128232 ("Tulloch") in view of "Microsoft Windows NT Server, Resource Guide," 
Microsoft Press, 1996, ISBN: 1-57231-344-7 ("Windows NT"). Applicants' representative 
respectfully traverses the 35 U.S.C. § 112, second paragraph, 35 U.S.C. § 102(e), and 35 
U.S.C. § 103(a) rejections, for reasons provided below. 

ISSUE 1 

1. Whether the 35 U.S.C. § 112, second paragraph rejections of claims 1, 2, 4-5, 7, and 
9-10, the 35 U.S.C. § 102(e) rejection of claims 1-10 as being anticipated by Ito, or the 35 
U.S.C. § 103(a) rejections of claims 1-2, 4, 6-7, and 9 as being obvious over Tulloch, in view 
of Windows NT, represent reasonable and substantial new grounds for rejection that would 
supplement or eclipse the issues already identified in the Appeal Brief originally filed by 
Applicants on July 28, 2005.

35 U.S.C. § 112, Second Paragraph Rejections of Claims 1, 2, 4-5, 7, and 9-10

Beginning on line 10 of page 5, a CDLUN is defined as a type of LUN, as follows:

To reconcile the fact that a number of operations provided to a 
requesting remote computer by a disk array controller may involve 
multiple LUNs to the fact that, in general, in invoking any particular 
operation through many current disk array controller interfaces, a 
remote computer must specify a single target LUN, a type of virtual 
LUN known as a control-device LUN ("CDLUN") is provided by disk 
array controllers as part of the interface through which remote 
computers invoke operations. CDLUNs are essentially points of 
access to various operations provided by, and carried out by, a disk 
array controller. (emphasis added)

In the italicized phrase of the above-quoted portion of the specification, it is clear that remote 
host computers specify operations with respect to a single target LUN. In the underlined 
phrase of the above-quoted portion of the specification, a CDLUN is defined as a type of 
virtual LUN. In other words, a CDLUN is a subclass or subtype of the class or type LUN. A 
host computer requesting an operation to be carried out by a mass-storage controller specifies 
a LUN target for the operation, and the LUN target can be either a traditional LUN provided 
by the mass-storage controller or a CDLUN. In the first element of claim 1, an access table 
is provided "that includes entries that each represents authorization of a particular remote 
entity to access a particular logical unit." In other words, the access table includes entries 
corresponding to LUNs accessed by remote entities. It is clear from the definition of 
CDLUN that these entries may include either traditional LUNs or CDLUNs, a special type of 
LUN. In the final element of claim 1, "when a remote entity requests execution of an
operation directed to a specified control device logical unit," the request is authorized "only 
when an entry currently exists in the access table that represents authorization of the remote 
entity to access the specified control device logical unit." There is nothing unclear or 
indefinite about this language. The second use of the term "specified control device logical 
unit" refers to the first instance of the term "specified control device logical unit" in the third 
element of claim 1, and has full antecedent basis. Moreover, since a control device logical 
unit is simply one type of LUN, there is absolutely no contradiction between the language of 
the third element and the language of the first element, in which an access table is described 
as having entries representing authorization access to logical units. Similarly, there is no 
contradiction in claim 3, or in any other claims depending from claim 1, with regard to 
access-table entries. 

In Applicants' representative's opinion, the 35 U.S.C. § 112, second paragraph 
rejections of claims 1, 2, 4-5, 7, and 9-10 are unfounded. Moreover, rejections of this nature 
are not sufficient justification, in Applicants' representative's opinion, for pulling the current 
application from appeal and reopening prosecution. If 35 U.S.C. § 112, second paragraph, 
rejections remain following disposition of the Appeal, they can be subsequently resolved. The
prosecution of the current application has been both time consuming and expensive, and 
Applicants would prefer that the originally filed appeal proceed to a decision unless relevant 
new references are cited, or compelling new arguments are offered, by the Examiner. 

35 U.S.C. § 102(e) Rejection of Claims 1-10

While Ito discloses subject matter related to the general area of logical units 
provided by storage subsystems to remote host computers, as does the current application, 
and unlike the completely unrelated art cited by the Examiner in the subsequently discussed 
35 U.S.C. § 103(a) rejections, Ito is nonetheless unrelated to the currently claimed invention. 
First, Ito does not teach, mention, or suggest CDLUNs as defined in the current application. 
The Examiner appears to have focused on the use of the term "virtual LUN" in the definition 
of CDLUN, quoted above. Finding that same term used in Ito, the Examiner has apparently 
concluded that, based on similarity in terminology alone, Ito discloses CDLUNs and 
supplemental access tables. However, even a cursory reading of Ito reveals that this is not the 
case. The term "virtual LUN" used in Ito simply refers to a renumbering of LUNs by host 
computers for ease of reference. For example, considering Figure 14 in Ito, it is apparent that 
there is a strict, one-to-one mapping between LUNs and virtual LUNs. This is explained in 
Ito beginning on line 50 of column 12. Ito's virtual LUN is simply a different numerical 
value used by a host computer to refer to a LUN provided by a storage subsystem. Ito does 
not once teach, mention, or suggest a CDLUN that is used by remote host computers as a 
single target, or single numerical value, to represent controller functionality involving 
multiple LUNs. For this reason alone, Ito cannot possibly anticipate the claims of the current 
application, which explicitly recite both LUNs and CDLUNs. Please refer to the Summary of 
Claimed Subject Matter section of this brief for a concise explanation of CDLUNs. 

Secondly, Ito does not teach, mention, or suggest a supplemental access 
management table, as clearly claimed in current claim 1, and all claims that depend from 
claim 1. Instead, Ito discloses a single LUN access management table. The single LUN 
access management table in Ito has entries with three fields: (1) a WWN field that specifies 
the world-wide name of a particular host computer; (2) the field "virtual LUN" that specifies 
the numerical values, or virtual LUNs, by which a host computer references LUNs provided 
by the storage subsystem; and (3) a LUN field that specifies, in one-to-one correspondence 
with the virtual LUN field entries, the numerical values by which the storage subsystem 
refers to these same LUNs. The virtual LUN field of each entry of the LUN access 
management table disclosed in Ito simply serves as a translation device, or dictionary, for 
translating a numerical value used by a host computer to a corresponding numerical value 
used by the storage subsystem to reference a single LUN. By contrast, the first paragraph in 
the Summary of the Invention section of the current application clearly describes a very 
different access table and supplemental access table used in embodiments of the current 
invention, and clearly claimed in claims 1-10:

In one embodiment of the present invention, a disk array controller 
uses two access tables in order to check for authorization of an 
operation requested by a remote computer, directed to a target 
CDLUN, that includes specification of additional LUNs. First, the 
disk array controller determines whether there is an entry in a first 
access table having indications of a LUN, port, and remote computer 
identifier equal to the specified target CDLUN of the request, the port 
through which the request was received, and the unique identifier of 
the remote computer from which the request was received. When such 
an entry is present in the first access table, then the disk array 
controller assumes that the requesting remote computer is authorized 
to access the target CDLUN. Next, the disk array controller checks a 
second, supplemental access table to determine if, for each additional 
LUN specified as part of the request for execution of the operation,
there exists an entry containing an indication of the additional LUN 
paired with an indication of the specified target CDLUN for the 
operation. Only when the disk array controller finds such an entry in 
the supplemental access table for each additional LUN specified in the 
request for execution of the operation does the disk array controller 
authorize execution of the operation. 

The first access table described in the above-quoted portion of the Summary of the Invention 
section of the current application is similar to the LUN access management table disclosed in 
Ito, although the first access table of the current invention includes additional fields. 
However, the supplemental access table of the current invention has no analogy or 
counterpart in the teachings of Ito. Note that the supplemental access table essentially 
specifies which LUNs a particular CDLUN may access, or which may be accessed through a 
particular CDLUN. As described in the above-quoted portion of the Summary of the 
Invention section, when a host computer specifies a CDLUN target for a requested operation, 
the storage-system controller first determines, by accessing the first access table, whether the 
host computer is authorized to access the specified CDLUN. When the host computer is 
authorized to access the specified CDLUN, then in a second operation, the storage-subsystem 
controller accesses the supplemental access table to see whether the CDLUN specified by the 
host computer can access each of the LUNs involved in the operation requested by the host 
computer. The first access table maps host computers to LUNs, where a LUN may be a 
traditional LUN or a CDLUN, while the supplemental access table maps CDLUNs to LUNs. 
Ito does not mention or suggest such a supplemental access table, which is not surprising, 
since Ito does not teach, mention, or suggest CDLUNs. In the paragraph of Ito beginning on 
line 60 of column 9, Ito describes use of Ito's LUN access management table. The storage- 
subsystem controller simply decides whether a host's computer may access a LUN specified 
by the host computer. There is no second operation undertaken when the specified LUN is a 
CDLUN for determining whether the specified CDLUN may access particular LUNs 
involved in the operation. 
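
The two-step check described above, sketched in Python as an added illustration; it is not code from the application or from any controller firmware. The class names, host identifiers, port numbers and LUN names are hypothetical, and the sample tables are constructed to reproduce the host A / LUN X / LUN Y scenario from the Summary of Claimed Subject Matter.

```python
"""Two-table CDLUN authorization check (illustrative sketch, hypothetical names)."""
from dataclasses import dataclass, field
from typing import NamedTuple


class AccessEntry(NamedTuple):
    """First access table row: a LUN or CDLUN, a port, a remote computer ID."""
    lun: str
    port: int
    host: str


class SupplementalEntry(NamedTuple):
    """Supplemental table row: a CDLUN paired with a LUN it may operate on."""
    cdlun: str
    lun: str


class Decision(NamedTuple):
    allowed: bool
    reason: str


@dataclass
class Controller:
    access_table: set = field(default_factory=set)
    supplemental_table: set = field(default_factory=set)

    def _host_may_target(self, host, port, target):
        # An entry must match the target, the receiving port and the requester.
        return AccessEntry(target, port, host) in self.access_table

    def authorize_single_table(self, host, port, cdlun, luns):
        """The inadequate check: only the host-to-CDLUN entry is consulted,
        so the LUNs named inside the multi-LUN request are never examined."""
        if not self._host_may_target(host, port, cdlun):
            return Decision(False, f"{host} not authorized for {cdlun} on port {port}")
        return Decision(True, "host authorized for CDLUN; additional LUNs unchecked")

    def authorize(self, host, port, cdlun, luns):
        """The two-step check: host-to-CDLUN in the first table, then
        CDLUN-to-LUN in the supplemental table for every additional LUN."""
        if not self._host_may_target(host, port, cdlun):
            return Decision(False, f"{host} not authorized for {cdlun} on port {port}")
        missing = [lun for lun in luns
                   if SupplementalEntry(cdlun, lun) not in self.supplemental_table]
        if missing:
            return Decision(False, f"{cdlun} not authorized for {', '.join(missing)}")
        return Decision(True, "authorized by both tables")


def build_sample_controller():
    """Constructed sample data: host_A may use CDLUN_0 and LUN_Y but has no
    entry for LUN_X, which belongs to host_B."""
    return Controller(
        access_table={
            AccessEntry("CDLUN_0", 1, "host_A"),
            AccessEntry("LUN_Y", 1, "host_A"),
            AccessEntry("LUN_X", 1, "host_B"),
        },
        supplemental_table={
            SupplementalEntry("CDLUN_0", "LUN_Y"),
            SupplementalEntry("CDLUN_0", "LUN_Z"),
        },
    )


if __name__ == "__main__":
    ctl = build_sample_controller()
    # host_A asks CDLUN_0 to mirror LUN_Y onto LUN_X, overwriting LUN_X.
    request = ("host_A", 1, "CDLUN_0", ["LUN_Y", "LUN_X"])
    print("single table:", ctl.authorize_single_table(*request))
    print("two tables:  ", ctl.authorize(*request))
```

With only the first table, the mirror request is accepted even though host_A has no entry for LUN_X; with the supplemental table, the same request is refused and the refusal names LUN_X.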

In M.P.E.P. § 2131, the grounds for an anticipation rejection are clearly stated as follows:

TO ANTICIPATE A CLAIM, THE REFERENCE MUST 
TEACH EVERY ELEMENT OF THE CLAIM 

"A claim is anticipated only if each and every element as set forth in 
the claim is found, either expressly or inherently described, in a single 
prior art reference." Verdegaal Bros. v. Union Oil Co. of California,
814 F.2d 628, 631, 2 USPQ2d 1051, 1053 (Fed. Cir. 1987). "The 
identical invention must be shown in as complete detail as is contained 
in the . . . claim." Richardson v. Suzuki Motor Co., 868 F.2d 1226, 
1236, 9 USPQ2d 1913, 1920 (Fed. Cir. 1989). 

Other than the fact that Ito discloses subject matter related to the general topic of LUNs 
provided by storage systems to remote host computers, Applicants' representative can see no 
possible justification for citing Ito against any of the claims of the current application. Ito is 
unrelated to, and does not teach, mention, or suggest, CDLUNs and supplemental access 
tables, which, being elements of claim 1 and all claims that depend from claim 1, must be 
found in order for the cited reference to anticipate the claims. The
prosecution of the current application has already proved both time-consuming and 
expensive, and Applicants would prefer that the appeal process based on the originally filed 
appeal brief continue unless the Examiner can offer new, relevant references or new and 
compelling arguments. The 35 U.S.C. § 102(e) rejections based on Ito are unfounded, and do 
not warrant the reopening of prosecution and attendant further delay and expense in resolving 
the issues to which the appeal is addressed. 

35 U.S.C. § 103(a) Rejections of Claims 1-2, 4, 6-7, and 9 

The Examiner's 35 U.S.C. § 103(a) rejections are not new. They are 
substantially the same rejections to which the originally filed appeal brief was, in part, 
directed. In these rejections, the Examiner attempts to draw a correspondence between the 
mass-storage-controller LUN-access-control methods of embodiments of the present 
invention and high-level file servers and web servers. As discussed in the originally filed
appeal brief, this attempt to cite a general reference discussing administration tools used by 
human administrators of networked computers against claims directed to a detailed access 
control method within disk arrays and other storage subsystems is completely unfounded. 
The originally filed appeal brief discusses these rejections in detail. 

The Examiner's position appears to be that, because access is controlled in 
high-level file systems, an entirely different, and more specific, method for controlling access 
by remote host computers to low-level logical units provided by a mass-storage controller is 
obvious. The Examiner, for example, claims on page 10, section 30 of the Office Action that 
Tulloch teaches control device logical units by referring to an "Internet information server 4.0 
that allows administrators to organize web content ... by using . . . virtual servers." 
CDLUNs are defined in the current application as a virtual LUN, or logical unit, that serves 
as a single LUN target for specifying operations by remote host computers to mass-storage 
controllers that involve multiple logical units, or LUNs, within the mass-storage device. 
Neither a CDLUN nor a LUN is a virtual server or a server of any kind, and neither has 
anything whatsoever to do with administrating web content. In sections 32 and 33 of the 
Office Action, the Examiner states:

Tulloch does not explicitly teach providing a supplemental access 
table that includes entries that each represent authorization of a 
particular remote client to access a particular logical unit. However, as 
indicated above, in process of a CDLUN set up one "maps" the 
CDLUN to a LUN and thus it is clear that correlation of CDLUN and 
LUN must be kept in some memory storage by the computer 
(otherwise there would be no need to explicitly correlate these two 
entities). Also, it is old, well-known and widely used in the art of
computing to utilize tables to store related information (e.g. Tulloch, 
pg. 152 Table 4-2). Thus, even though Tulloch does not explicitly 
teach a supplemental access table it would have been obvious to one of 
ordinary skill in the art at the time of applicant's invention to keep 
information comprising CDLUNs with correlating LUNs in a table 
given the benefit of quick and easy access to related data. 

As discussed above, Tulloch neither teaches nor discloses anything related to LUNs or 
CDLUNs. Thus, the attempt by the Examiner to infer implicit teaching of a supplemental 
access table that is neither mentioned nor suggested in the reference is, in Applicants'
representative's respectfully offered opinion, completely unfounded. The supplemental 
access table is defined, in the current application, to contain entries that each maps a CDLUN 
to mass-storage-device-controller-provided LUNs that can be accessed by the CDLUN during 
a multi-LUN operation specified by a remote host computer. This has nothing to do with 
web servers, human administrators, or anything else taught, disclosed, mentioned, or 
suggested in Tulloch. The supplemental access table is claimed, in claim 1, with respect to a 
well-defined set of steps undertaken by a mass-storage-device controller to authorize a 
request made by a remote host computer. There is neither mention nor suggestion in Tulloch 
of any kind of access operation carried out by a mass-storage-device controller on behalf of 
remote computers. Access control in high-level file systems is not carried out by mass- 
storage devices, but is instead carried out by operating systems on general purpose 
computers. Access control in high-level file systems is not carried out on a logical-unit basis, 
but is instead carried out on files and directories. The Examiner has apparently failed to
grasp the distinction between LUNs and CDLUNs, and thus has failed to point to an object or 
entity in a high-level file system that serves the same purpose as a CDLUN serves in a mass- 
storage controller. Finally, Tulloch and Windows NT are very high level, descriptive 
documents that do not provide technical detail, table structures, or access-control-method 
algorithms. The Examiner, in section after section of the Office Action, infers an implicit 
teaching of a specific detail or teaching from a high-level description of generally unrelated 
file-system objects. This does not constitute finding a teaching, disclosure, or even 
suggestion of the claim elements of the current claims in Tulloch or Windows NT, but instead 
constitutes renaming unrelated concepts and entities in the cited references to correspond to 
claim terms. 

In order to establish a prima facie case for obviousness, as stated in MPEP § 
2143, citing In re Vaeck, "[T]he prior art reference (or references when combined) must teach 
or suggest all the claim limitations." Claim 1 specifically and in great detail claims the access 
table and supplemental access table of the current invention, along with a clear and detailed 
description of how a mass-storage-device controller uses the access table and supplemental 
access table in order to authorize an operation requested by a remote host computer with 
respect to a CDLUN target. Tulloch and Windows NT are very high-level discussions of 
human-user administrative interfaces and network security. There is nothing in either 
reference that teaches, mentions, or suggests an access table and supplemental access table, as 
claimed in claim 1, nor teach or mention anything at all related to mass-storage-device- 
controller authorization steps, activities, provision of logical units, or other aspects of 
embodiments of the current invention. 

In the originally filed appeal brief, Applicants' representative has already 
responded, in detail, to the 35 U.S.C. §103(a) rejections again presented by the Examiner in 
the Office Action of November 17, 2005. Applicants would prefer not to incur additional 
time delays and expense in further prosecution of the current application, and would instead 
prefer to proceed with the appeal to which the originally filed appeal brief was directed, 
unless the Examiner provides either new, relevant references or compelling new arguments. 
The 35 U.S.C. § 103(a) rejections are neither new nor compelling. 

CONCLUSION 

The newly asserted 35 U.S.C. § 112, second paragraph, rejections are 
unfounded, and, in Applicants' representative's opinion, do not justify reopening of
prosecution. The Examiner has failed to establish a prima facie case for anticipation based 
on the unrelated reference Ito, and has again failed to establish a prima facie case for 
obviousness in the Examiner's 35 U.S.C. § 103(a) rejections based on the completely 
unrelated references Tulloch and Windows NT. Reopening of prosecution represents, for 
Applicants, significant additional expenditure and time delays, and would only be justifiable 
were the Examiner to point to new, relevant references or to offer new and compelling 
arguments. Instead, the Examiner has offered only unfounded 35 U.S.C. § 112, second 
paragraph, rejections, 35 U.S.C. § 102(e) rejections based on a reference that does not teach,
disclose, or even suggest CDLUNs, supplemental access tables, and many other elements of 
the claims, and restated unfounded 35 U.S.C. § 103(a) rejections based on the completely 
unrelated references. Applicants therefore request that the Appeal be reinstated. 

CLAIMS APPENDIX 

1. A method for authorizing access by remote entities to logical units provided
by a mass storage device comprising: 

providing an access table that includes entries that each represents 
authorization of a particular remote entity to access a particular logical unit; 

providing a supplemental access table that includes entries that each represents 
authorization of a particular control device logical unit to access a particular logical unit; and 

when a remote entity requests execution of an operation directed to a specified 
control device logical unit and involving one or more additional specified logical units, 

authorizing the request for execution of the operation only when an 
entry currently exists in the access table that represents authorization of the remote entity to 
access the specified control device logical unit and, for each of the one or more additional 
specified logical units, an entry exists in the supplemental access table that represents 
authorization of the specified control device logical unit to access the additional specified 
logical unit. 

2. The method of claim 1 wherein the mass storage device includes ports through 
which requests from remote entities are received, and wherein authorizing a request for 
execution is carried out by a controller within the mass storage device. 

3. The method of claim 2 wherein the access table includes entries each 
comprising: 

an indication of a logical unit or control device logical unit; 

an indication of a port; and 

an indication of a remote entity. 

4. The method of claim 2 wherein the supplemental access table includes entries 
each comprising: 

an indication of a control device logical unit; and 
an indication of a logical unit. 

5. The method of claim 2 wherein the mass storage device is a disk array and
remote entities are remote computers interconnected with the disk array via a 
communications medium. 

6. An authorization system for authorizing access by remote entities to logical 
units provided by a mass storage device comprising: 

a request detecting component that detects requests for execution of an 
operation generated by a remote entity; 

an access table that includes entries that each represents authorization of a 
particular remote entity to access a particular logical unit; 

a supplemental access table that includes entries that each represents 
authorization of a particular control device logical unit to access a particular logical unit; and 

control logic that authorizes a request made by a remote entity, detected by the 
request detecting component, directed to a specified control device logical unit and involving 
one or more additional specified logical units only when an entry exists in the access table 
that represents authorization of the remote entity to access the specified control device logical 
unit and, for each of the one or more additional specified logical units, an entry exists in the 
supplemental access table that represents authorization of the specified control device logical 
unit to access the additional specified logical unit. 

7. The system of claim 6 wherein the mass storage device includes ports through 
which requests from remote entities are received, and wherein the control logic resides within 
the mass storage device. 

8. The system of claim 7 wherein the access table includes entries each 
comprising: 

an indication of a logical unit or control device logical unit; 

an indication of a port; and 

an indication of a remote entity. 

9. The system of claim 7 wherein the supplemental access table includes entries
each comprising: 

an indication of a control device logical unit; and 
an indication of a logical unit. 

10. The system of claim 7 wherein the mass storage device is a disk array and 
remote entities are remote computers interconnected with the disk array via a 
communications medium.